Class StackPivot

Class Documentation

class StackPivot

Represents a potential stack pivot gadget or sequence of gadgets: a mechanism for changing the stack pointer (RSP) during exploit execution.

This class encapsulates the different types of stack pivoting gadgets, such as one-gadget pivots or combined push-indirect/pop-RSP pivots, and provides methods to describe the pivot, get the relevant offsets, and apply the pivot's effects to a payload buffer.

Public Functions

StackPivot(const OneGadgetPivot &one_gadget)

Constructs a StackPivot from a OneGadgetPivot.

Parameters:

one_gadget – The OneGadgetPivot to use.

StackPivot(const PushIndirectPivot &push_gadget, const PopRspPivot &pop_gadget)

Constructs a StackPivot from a PushIndirectPivot and a PopRspPivot.

Parameters:
  • push_gadget – The PushIndirectPivot to use.

  • pop_gadget – The PopRspPivot to use.

std::string GetDescription(bool include_clobbers = true) const

Gets a string description of the stack pivot.

Parameters:

include_clobbers – Whether to include information about clobbered offsets in the description.

Throws:

ExpKitError – if the StackPivot is in an invalid state.

Returns:

A string describing the stack pivot.

uint64_t GetGadgetOffset()

Gets the offset of the primary gadget in the stack pivot. The offset is relative to the KASLR base; ApplyToPayload combines it with kaslr_base to form the absolute gadget address.

Returns:

The offset of the primary gadget.

uint64_t GetDestinationOffset() const

Gets the destination offset within the buffer where the pivot will transfer execution.

This is typically the location where the next instruction or ROP chain should be placed.

Returns:

The destination offset.

void ApplyToPayload(Payload &payload, uint64_t kaslr_base)

Applies the stack pivot to a given payload.

Parameters:
  • payload – The Payload object to modify.

  • kaslr_base – The KASLR base address.

StackPivot(const OneGadgetPivot &one_gadget)

Constructs a StackPivot instance representing a one-gadget pivot.

Parameters:

one_gadget – The OneGadgetPivot structure describing the gadget.

StackPivot(const PushIndirectPivot &push_gadget, const PopRspPivot &pop_gadget)

Constructs a StackPivot instance representing a push-indirect and pop-RSP pivot combination.

Parameters:
  • push_gadget – The PushIndirectPivot structure describing the push-indirect gadget.

  • pop_gadget – The PopRspPivot structure describing the pop-RSP gadget.

std::string GetDescription(bool include_clobbers = true) const

Generates a human-readable description of the stack pivot.

This description includes details about the gadget’s address, registers used, destination, and optionally a list of clobbered offsets.

Parameters:

include_clobbers – If true, include a list of clobbered stack offsets in the description.

Throws:

ExpKitError – if the pivot instance is in an invalid state (neither one-gadget nor push/pop combination).

Returns:

A std::string containing the pivot’s description.

uint64_t GetGadgetOffset()

Returns the offset of the primary gadget used for the pivot, relative to the KASLR base.

For a one-gadget pivot, this is the one-gadget's offset. For a push-indirect/pop-RSP pivot, this is the offset of the push-indirect gadget.

Returns:

The 64-bit unsigned integer offset of the pivot gadget.

uint64_t GetDestinationOffset() const

Returns the offset within the payload where the stack is intended to land.

For a one-gadget pivot, this is one_gadget_->next_rip_offset. For a push-indirect/pop-RSP pivot, this is pop_gadget_->next_rip_offset.

Returns:

The 64-bit unsigned integer offset within the payload.

void ApplyToPayload(Payload &payload, uint64_t kaslr_base)

Applies the effects of the stack pivot to a given payload.

This involves setting up the payload to execute the pivot, and reserving any stack offsets that might be clobbered by the pivot’s execution.

Parameters:
  • payload – A reference to the Payload object to modify.

  • kaslr_base – The Kernel Address Space Layout Randomization base address, used to calculate absolute gadget addresses.